Guessing your Android unlock pattern is way too easy

Android unlock patterns might be fun to use, but they’re not that secure.

A recent study from the U.S. Naval Academy and the University of Maryland, Baltimore County revealed that it’s incredibly easy to figure out someone’s passcode pattern just by peeking over their shoulder (“shoulder surfing”) while they enter it.

The researchers recruited almost two thousand subjects to watch over-the-shoulder videos of pattern and PIN unlocking, and attempt to reproduce each.

The researchers found that attackers were able to successfully enter another user’s phone after just one observation in a whopping 64.2 percent of cases when using a pattern. PINs weren’t foolproof, but were still safer, with a single observation only 10.8 percent likely to lead to a successful attack.

The study examined unlock patterns in the Nexus 5 and the OnePlus One. It also found that smaller phones and—surprise!—longer unlock patterns are less susceptible to over-the-shoulder surveillance.

The findings were published in a paper called Towards Baselines for Shoulder Surfing on Mobile Authentication, written for the Annual Computer Security Applications Conference, which will take place in early December.

The study, while the first to compare shoulder surfing of PIN vs. Android unlock patterns, is not the first to measure the efficacy of both methods. Researchers found earlier this year that hackers can use incredibly effective computer vision software to capture your pattern. And in 2010, Penn State researchers found that a pattern code can be identified from smudges on screens 68 percent of the time.

All this research backs the idea that a PIN is the way to go

“These results support what we as a community have believed to be true anecdotally, and further demonstrates that current authentication methods provide stronger security against shoulder surfing than one might expect.”

The study’s primary conclusion is clear: skip the pattern, set a passcode. If you’re wed to your pattern, there are a few other things you can do to reduce shoulder-surfing risk.

First, eliminate “feedback lines,” the colored lines that illuminate your finger’s path through the pattern. These lines make it easier for shoulder surfers to make out your pattern. With user’s feedback lines removed, hackers were only able to access the phone around 35 percent of the time. You can do this in your Settings.

Second, make sure to set a six-digit pattern, which is obviously harder to crack than a four-digit pattern.

These changes will take a few minutes of your life, but your phone’s data may thank you later.

About This Site

This site is provided free, as is, without support and without ads. It is useful for Security teams who need to keep up to date with Infosec news. Information is automatically fetched and there is no guarantee of accuracy on any content on this site.